Lenovo and Superfish adware... does it really matter?

By Dr. Guy Bunker @guybunker


There was a big story earlier this month about the installation by Lenovo of adware on its consumer laptops. The adware, or ‘Superfish’ as it quickly became known, was one of a number of pre-installed packages which consumers could fully install if they wanted – the idea behind it is to help consumers find the cheapest version of what they are looking for. On the face of it, that seems like a good idea. I’m sure that the folks at Lenovo thought it would be a good selling point as well.

Most manufacturers pre-install third-party pieces of software for consumers to try and, if they like them, buy. This isn’t the first time that a manufacturer has been caught out by installing software which turns out to be less than good. The Sony DRM ‘rootkit’, back in 2005, was probably the first piece of software which was installed ‘for good’ but turned out to be ‘bad’, and it got so bad at one point that there were articles written on removing all the bloatware that came with a new PC. Today, when there is 1TB of space on a laptop, a few hundred MB of rubbish doesn’t make the headlines.

Perhaps, like the Sony scandal, the real challenge that Lenovo has is that the application they installed has far-reaching effects on every web page, including all those which are served over secure HTTP/S. So, even if you are going to your bank, the software can intercept the traffic, decrypt it and insert adverts. However, that process opens the user up to a whole heap of privacy violations – which is why there has been such an outcry, and rightly so. I doubt the developers of the adware thought about the privacy angle; they probably came up with a ‘smart’ idea which would allow them to serve ads even in encrypted traffic – which seemed like a good idea at the time. I suspect they are re-thinking that now... as are Lenovo and all the other manufacturers who ship pre-installed trialware.

So, what now?

Well, in this case Lenovo (and most of the anti-virus manufacturers) have issued a ‘fix’ to remove the adware and, in Lenovo’s case, to stop it being part of the standard image that they ship with their laptops. However, this doesn’t mean it won’t happen again – and who knows whether the next time, it might be real malware which goes unnoticed for many months. It will be interesting to see over the next 6, 12, 18 months whether the reputational damage that Lenovo has suffered will affect sales – I suspect it will, but they will recover.

As for the impact on businesses?

In most cases, the problem probably doesn’t exist, as a new machine will arrive and the IT department will re-image it, removing all the things that were shipped on the disc and replacing them with a corporate version of the OS and the applications that are required. For the consumer it is different: for a start, they potentially don’t know ‘good’ from ‘bad’ when it comes to applications and, if so, wouldn’t understand the consequences of installing this particular application.

If you do get a new home PC, even if it seems to have a lot of space on it, take a look at what has come pre-installed and if you don’t want it, or need it, then remove it. If you are not sure (either that you want it, or understand what it does) – then the chances are you won’t want it later on, so remove it anyway. Most of the pre-installed trial versions can be downloaded and installed at a later date if required. If you are technically savvy and want to be really sure... then format the hard disk and reinstall the OS from scratch; then you can be sure there is nothing trying to get at your information and invade your privacy.